Technology such as big data, new digital channels and the internet
of things (IoT) present huge opportunities for organisations across all
sectors. However, risk management around these new enablers is often not as
sophisticated as the new technology itself. If this continues, then business
strategies based on these new technologies will ultimately fail.
Therefore, we were delighted to be joined by senior stakeholders from across
a diverse set of businesses to share insights and questions on the topic of
cyber risk management. We asked our speaker Tim Roberts - VP, IBM and global
leader for their Security Strategy, Risk and Compliance practice, to talk us
through 'the human element' of cybersecurity, emerging threats and new
Cyber Risk not Cyber Tech!
Looking at Cyber Security through the lens of risk management rather than purely
treating it as a technology topic provides a much wider view for the board and
executive. The role of senior management goes beyond hiring a Chief Information
Security Officer (CISO) who has a technology background and giving them a large
budget to manage risk.
Cyber Risk is not going to go away and is always
in the headlines. Late last year, the Wall St Journal produced an article
predicting the biggest cause of CEOs being fired in 2018 would be a poorly
managed cyber-attack/breach or technology failure. Cyber or Technology Risk is
much broader than a hacker trying to break into your systems. That is part of
a spectrum of risks, which includes malicious external attacks, malicious
internal attacks and human error. And many of the biggest breaches have caused
some form of regime change in the company where they have taken place.
Regulators across all industries are
focusing on Cyber Risk, especially in Financial Services where regulation is
more intrusive and involves active supervision. Front of mind for the
regulators in Financial Services for a long time has been security and privacy
as the key twin topics. However, it's also worth thinking about the related
points of resilience and data quality, ensuring, for instance, that your
customers' data is available and is not corrupted.
If your organisational
structure has business continuity as an entirely separate function from your
security team, privacy experts sitting in the legal function and the Chief Data
Officer worried about quality and not security, it is almost impossible to have
a joined-up strategy. All these categories of risk must learn to speak the same
language. Regulators are placing greater focus on the Board. Regulators in the
US require an annual attestation from the Board that their Cyber Security is
fit for purpose. Whilst the Senior Managers and Certification Regime (SMCR) in
the UK is much broader than purely Cyber Security, organisations will have to
create a clear Cyber Security chain of command and a link from the boardroom
down to the business front line.
The Data Challenge
The issue of managing data inside the organisation is proving to be
extremely difficult for large international companies and smaller businesses
alike. Advanced analytics on customer data and the on-going management of
digital channels and services produce copious sets of data. Different
stakeholders sit around this data, each worrying about different things.
Privacy people are worrying about compliance and data
governance teams are concerned with how data is protected. If you are
a financial institution you have anti-money laundering experts
worrying if customers are real and genuine. Reporting functions
who are responsible for reporting to the regulator are concerned with the
Regulator's requirements. These are different tribes operating with different
agendas and speaking in different dialects about the same set of data.
Understanding where all the data is housed without falling over your own feet
presents another key challenge. For example, a data mapping exercise in one
organisation following a breach resulted in the identification of unencrypted
customer data sitting in a test environment, leaving them highly exposed. The
complexity of managing data from an internal perspective is as challenging
as protecting your organisation from the external threat, especially when you
have multiple teams working around the same set of data.
One of the
biggest challenges for senior management is to simplify and clarify the
handling of Cyber and Data Security. It's understandable the issues around data
become complex. It's a new risk category in many ways. Historically, most
non-financial institutions have not had a great deal of data to manage. Now,
organisations are swimming in data and trying to exploit it for commercial
purposes. Companies have traditionally built functional areas which
have grown organically. Companies must now rationalise the data challenge and
make the management and security of data more holistic and coherent across all
functions throughout the entire organisation.
Each individual risk
category or silo approaches the challenge from different perspectives and each
has their own focus. Privacy people tend to be lawyers, security experts come
from a technology background and compliance teams come from either law or
regulation. Risk people are typically either career risk practitioners or have
transitioned from finance.
One of the global banks received a letter in
London from the PRA seeking clarity about their Cyber Security programme. Their
Compliance team knew how to handle an enquiry from the PRA supervisors, but did
not understand the content of the questions or have the expertise to respond
effectively. The bank's Security experts understood the questions, but weren't
in any way used to communicating with regulators. We therefore assisted with
their response. This seems to be a common phenomenon across financial
Often the business
strategy is to keep racing ahead to keep up with or beat competitors and thus
outstrips the pace of risk management development, exposing the organisation
considerably. Looking back at the financial crisis, the technology to exploit
and originate opportunities in credit risk had raced ahead of the required risk
management. Some of the banks that failed did not know what they had acquired
or exactly where this credit risk sat in reality. This is analogous with what
we are seeing with digital strategies.
Responding to the challenges
This is broken down into 3 key steps:
- Master the fundamentals
- Adopt an immune system approach
- Change the game (keep moving, don't relax)
Looking at recent breaches, a lot of
them are the result of poor decision making rather than an ingenious
attack. Basic steps are not being taken: passwords which are not
adequately complex, poorly designed networks, or failure to effectively monitor
the network. In some cases, software that has been bought externally is not
even being used, or nobody has taken the time to calibrate it. Firms are not
enforcing the Cyber Security policies they have in place. Mastering the
fundamentals means doing the very basic things right, all of the time!
Most people gravitate towards the controls element of a Cyber Security
programme. Essentially, products they can buy to help them control the problem.
This is part of the solution, but less common are questions such as, how do we
set risk appetite for cyber risk, what metrics should we use to measure cyber
risk, who owns it or what does an overall strategy look like? Cyber Security is
still treated as something that can be delegated to Technology or done in
isolation from other functional areas.
It's very easy to get lost in
jargon, hearing weird and wonderful expressions that only exist in cyber
security. All functions use their own individual jargon, but the key is to
convert this into business language. If the security team would like new
investment, they have to articulate what it will deliver, what risk it is
addressing and how it is mitigating that risk. Essentially, what is the
business case for the new investment? Answers to these questions will always
need to be given before any money is granted by the Executive team.
IBM's immune system approach brings everything together to
add up to more than the sum of the parts. Different components in the immune
system, as with the human body, will collectively protect you and reinforce
each other. IBM adopt this approach for Cyber Risk.
No firm has got the
complete answer to the problem. No provider has got all the tools an
organisation will need. Lots of new ideas are emerging within this relatively
new risk type and we all need to work together against a common enemy.
Cloud security is very different from storing data within an organisation's
own data center, operating under the same risk appetite, but requiring
different methods to get to the same risk identification. IBM is currently
helping develop a standard technology control framework with a consortium of
banks. This framework has now been mapped to 24 regulatory jurisdictions around
the world, helping companies articulate compliance with their controls.
'Change the game' does not refer to gaining competitive advantage, but rather
to getting one step ahead of your attackers, when your attacker is
relentless, well-funded and well organised. To deal with multiple types of
attacker, it's important to try and identify people who are attacking the
network, locate them and track them once they are in the network. Firms often
put in place a security operations centre (SOC), but in many cases the data being
accumulated in the SOC is not being used effectively to analyse risk. We recommend
using the SOC as a centre of analytics to understand the patterns it's
producing, i.e. when people are attacking you, how they are doing it, and whether
they are repetitive and persistent. Essentially, what can be learned from this data,
and can it be crystallised and presented to the board and executive? Finally,
the use of cognitive technologies to monitor networks is a huge benefit to
organisations and an increasing trend being witnessed.
After the presentation, guests were invited to share observations or ask Tim questions.
“There are existing forums and collaborations. For
example, Cyber & Information Security Consortium CISC, an on-line platform
to share information anonymously. If organisations have a Chief Information
Security Officer (CISO) who is not talking to the Board in business language,
then you have not got a CISO. At best, you may have a Head of IT Security. A
CISO should not be from a technology background”.
Q: How do you ask the $64m question, how much is enough?
Chief Risk Officer, Challenger
A: "It's a very difficult one. It's
linked to assessing risk appetite in a measurable way. IBM have a big library
of metrics which can be tailored to individual firms based on their business to
help them set risk appetite against the metrics.
Secondly, look at your
peer group and determine what they are spending and using to ensure you are at
the front of the pack and therefore not a more attractive, easy target because
you are the straggler."
Q: How do you see cyber insurance - a hindrance or a help?
Chief Risk Officer, Life
A: "We are starting to better
understand how the insurers and brokers operate. Indeed, we have just signed a
partnership with Willis Towers Watson. Cyber insurance is still a market under
development. Placing too much reliance on insurance is problematic at this
stage, when factoring in quantification, claims and contributory negligence.
Having some cyber insurance is good as it contributes towards the cost of a
breach in some way, but it should not be used as a sole strategy, in my
Q: In the world of disaster recovery, people have plans but do not test them.
From a Cyber Security perspective, what is the maturity of independent testing
in an organisation across the
Non-Executive Director, Major Building
A: "It's variable. Within financial
services there are regulatory driven testing programmes. In other cases we do
regular testing programmes for clients outside of financial services, who are
trying to be imaginative in how they test. Some clients implement routine,
annual pen (penetration) testing. We have not yet reached a steady state to
determine what is normal. In relation to testing a disaster recovery plan, we
bring clients in to a simulated security operations centre in Boston to
rehearse an attack and they have to respond. There is a TV studio with a fake
news reporter to interview people. Essentially, we are looking for
vulnerabilities in using a fictitious scenario."
Q: Do you assess an organisation's overall joined-up architecture?
Chief Credit Officer, 1st Tier Bank
A: "We do various types of testing. From testing a
particular set of narrow controls to holistic testing of people, technology and
policies. Banking is going through significant change at the moment, requiring
a more holistic approach to Cyber Risk."
Cyber Risk is the risk topic of our time,
spanning all industry sectors. Whilst progress has been made, it's apparent
that organisations are not moving as quickly as technology. The status of Cyber
Risk within many businesses does not appear to be comparable with other risk
categories - credit risk in banking, for instance. Breaking down silos and
adopting a truly holistic approach to Cyber Risk requires strong support and
leadership from the Board and Executive teams. Cyber security needs to win over
the hearts and minds of the people within the business to provide an effective
defence against both the obvious external threats and less obvious internal